
How do I allow users to upload only certain file types to my Amazon S3 bucket?


I want to store only certain file types on my Amazon Simple Storage Service (Amazon S3) bucket. I want to limit uploads so that my bucket accepts only those file types.

Resolution

Add statements to your bucket policy that allow or deny the following actions:

  • Allow the s3:PutObject action only for objects that have the extension of the file type that you want.
  • Explicitly deny the s3:PutObject action for objects that don't have the extension of the file type that you want.
    Note: This explicit deny statement applies the file-type requirement to users with full access to your Amazon S3 resources.

For example, this bucket policy allows exampleuser to perform the s3:PutObject action only on objects with .jpg, .png, or .gif file extensions:

Warning: This example bucket policy includes an explicit deny statement. If a user doesn't meet the specified conditions, then even the user who sets up the bucket policy can have their access to the bucket denied. Therefore, carefully review the bucket policy before you save it. If you accidentally lock the bucket, then see I accidentally denied everyone access to my Amazon S3 bucket. How do I regain access?

{
  "Version": "2012-10-17",
  "Id": "Policy1464968545158",
  "Statement": [
    {
      "Sid": "Stmt1464968483619",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/exampleuser"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.png",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.gif"
      ]
    },
    {
      "Sid": "Stmt1464968483619",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "NotResource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.png",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.gif"
      ]
    }
  ]
}

Note:

  • For the first Principal value, list the Amazon Resource Names (ARNs) of the users that you want to grant upload permissions to.
  • For the Resource and NotResource values, replace DOC-EXAMPLE-BUCKET with the name of your bucket.
  • When you specify resources in the bucket policy, the bucket policy evaluation is case-sensitive. A bucket policy that denies s3:PutObject actions for NotResource arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg allows you to upload my_image.jpg. However, if you try to upload my_image.JPG, then Amazon S3 returns an Access Denied error.
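The following script is an added example, not part of the AWS article, for checking the allow/deny logic of the policy above locally before saving it. It reproduces only the part of policy evaluation that matters here: case-sensitive resource ARN matching with the `*` wildcard, and the rule that an explicit Deny overrides any Allow. Principals and conditions are ignored, the bucket name and the object keys are constructed sample values, and the Sid labels are my own.

```python
"""Local dry-run of the allow/deny statements in the bucket policy above.

Added example (not AWS code). Models only resource matching and the
"explicit Deny wins" rule; principals and condition keys are out of scope.
"""
import re

BUCKET = "DOC-EXAMPLE-BUCKET"          # constructed sample value
ALLOWED_EXTENSIONS = ("jpg", "png", "gif")

# Same two statements as the article's policy, built from the constants above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowImageUploads",   # label chosen for this example
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:user/exampleuser"},
            "Action": "s3:PutObject",
            "Resource": [f"arn:aws:s3:::{BUCKET}/*.{e}" for e in ALLOWED_EXTENSIONS],
        },
        {
            "Sid": "DenyEverythingElse",  # label chosen for this example
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "NotResource": [f"arn:aws:s3:::{BUCKET}/*.{e}" for e in ALLOWED_EXTENSIONS],
        },
    ],
}


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style resource matching: '*' matches any run of characters
    (including '/'), '?' matches one character, comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(stmt: dict, arn: str) -> bool:
    """A statement applies to the ARN when it matches an entry in Resource,
    or when it matches none of the entries in NotResource."""
    if "s3:PutObject" not in _as_list(stmt["Action"]):
        return False
    if "Resource" in stmt:
        return any(arn_matches(p, arn) for p in _as_list(stmt["Resource"]))
    return not any(arn_matches(p, arn) for p in _as_list(stmt["NotResource"]))


def put_object_decision(policy: dict, key: str, bucket: str = BUCKET) -> str:
    """'Deny' if any Deny statement applies, else 'Allow' if an Allow applies,
    else 'ImplicitDeny' (no statement grants the action)."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, arn)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    # Constructed sample keys: the two cases from the note above, a key with
    # no extension, a nested key, and a double extension.
    for key in ["my_image.jpg", "my_image.JPG", "example",
                "photos/2024/cat.png", "report.jpg.exe", "tool.exe.jpg"]:
        print(f"{key:22} -> {put_object_decision(POLICY, key)}")
```

The last sample key shows the limit of a filename-based control: `tool.exe.jpg` is allowed because the policy only looks at the end of the key, which is why the comments below ask for a content check as well.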
AWS OFFICIAL, updated a year ago
8 Comments

You can either use Object policy or AWS Identity and Access Management (IAM) Policies: You can create an IAM policy that restricts the file types for uploading. Configure the policy to the IAM user or group that need restricted access. i.e. this allows only PDF files:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificFileTypes",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-meta-file-type": [
            "application/pdf"
          ]
        }
      }
    }
  ]
}

Try this out and let us know.

replied a year ago

What if an object name is not <name>.extension but just name e.g. example? Is this policy just useless then? If yes, how to make this policy "stronger"?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

I agree with Moti, and I would like a response from AWS on his question. This article comes up as number 1 on a google search for "prevent s3 unrestricted file upload", and it's penned by an AWS employee.

But filtering on filename is not best practice security; it needs to be able to filter on the file's content to be secure. Our pen tester raised this with us and they will not accept this as a solution for restraining unrestricted file upload, as it's trivial to upload an .exe and name it .jpg.

replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 6 months ago

To address the comments made by Moti & Scott Davey above please see this blog post: Amazon GuardDuty Malware Protection

Implementing a bucket policy to block .exe file uploads can be a useful security measure, even though it may not be a foolproof solution. A malicious actor could potentially bypass the policy by renaming the .exe file to a different extension, such as .jpg, or by removing the extension altogether. However, this approach can still help reduce the chances of a user accidentally double-clicking on an .exe file, as they would need to manually rename the file back to .exe in order to run it.

In addition to the bucket policy, you can further strengthen your security by leveraging Amazon GuardDuty's Malware Protection feature. This service can help detect and protect against malware threats, providing an additional layer of security.

It's important to note that there is no single "one-size-fits-all" security solution. The more security layers you can implement, the better. By combining multiple protective measures, such as the bucket policy and Amazon GuardDuty, you can enhance the overall security of your S3 environment and reduce the risk of unauthorized or accidental access to potentially malicious files.

AWS
replied 4 months ago

The statement that the user would have to manually rename the file extension is not accurate in all cases, since there is no way to limit the content, and that is not checked when uploaded. Additionally, it seems that AWS takes the supplied content type over the file extension. We tested putting a bucket policy in place as described here, which did not allow certain extensions including .html. However, when uploading, the file extension was .txt but the content-type header was changed to text/html. This was accepted. In S3, the file showed as filename.txt. However, when downloaded from S3, the file was renamed filename.html, therefore completely bypassing the bucket policy. Is there any fix for this?

replied 4 months ago
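The two comments above (the pen-test finding that an .exe can simply be named .jpg, and the .txt object uploaded with a text/html Content-Type) both come down to the same gap: the bucket policy only sees the key. The following is an added example, not AWS code and not from this article, of the content-aware check a practitioner would run after the object exists (for instance from a function triggered on object creation): it confirms that the extension, the stored Content-Type, and the file's leading bytes (its signature) all agree, and rejects the object otherwise. The signature table, the `inspect_object` and `triage` function names, and all sample uploads are constructed for this example; how the rejected objects are then quarantined is left to the caller.

```python
"""Content-aware check for objects already uploaded to the bucket.

Added example (not AWS code). Compares three things that an attacker can
set independently: the key's extension, the Content-Type header, and the
first bytes of the body. Any disagreement is a reject.
"""
from dataclasses import dataclass

# File signatures for the three extensions the article's policy allows.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Content-Type values consistent with each extension.
CONTENT_TYPES = {
    "jpg": {"image/jpeg"},
    "png": {"image/png"},
    "gif": {"image/gif"},
}


@dataclass
class Verdict:
    key: str
    ok: bool
    reason: str


def extension_of(key: str) -> str:
    """Extension of the last path component, case preserved so that the check
    stays consistent with the case-sensitive bucket policy; '' if none."""
    name = key.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def inspect_object(key: str, content_type: str, head: bytes) -> Verdict:
    """Accept only when extension, Content-Type and signature agree."""
    ext = extension_of(key)
    if ext not in SIGNATURES:
        return Verdict(key, False, f"extension '{ext or '<none>'}' not in allowlist")
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared not in CONTENT_TYPES[ext]:
        return Verdict(key, False, f"Content-Type {content_type!r} does not match .{ext}")
    if not any(head.startswith(sig) for sig in SIGNATURES[ext]):
        return Verdict(key, False, f"file signature does not match .{ext}")
    return Verdict(key, True, "extension, Content-Type and signature agree")


# Constructed sample uploads: (key, Content-Type header, start of body).
SAMPLE_UPLOADS = [
    ("photos/cat.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("photos/cat.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", "text/html", b"<html><script>"),   # .txt key, HTML declared (case from the comment)
    ("invoice.jpg", "image/jpeg", b"MZ\x90\x00"),     # executable signature under a .jpg name
    ("banner.gif", "image/png", b"GIF89a"),           # bytes are GIF, header says PNG
]


def triage(uploads):
    """Inspect a batch; the caller quarantines every Verdict with ok == False."""
    return [inspect_object(key, ct, body[:16]) for key, ct, body in uploads]


if __name__ == "__main__":
    for v in triage(SAMPLE_UPLOADS):
        print(("OK      " if v.ok else "REJECT  ") + f"{v.key}: {v.reason}")
```

Only the first 16 bytes of each body are needed for the signatures used here, so the check can read a ranged GET rather than the whole object. A signature check on its own is still not a malware scan; it closes the extension/Content-Type mismatch, and a scanner such as the GuardDuty Malware Protection feature mentioned above covers the content itself.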

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 4 months ago